CVE-2026-22777: ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Vulnerability Type: CRLF Injection via ConfigParser
An attacker can inject carriage-return/line-feed (CRLF) sequences into HTTP query parameters that ComfyUI-Manager persists to config.ini through ConfigParser. Because the injected line breaks are written to the file as-is, the next read of config.ini parses the smuggled text as additional keys and values, so the attacker can add arbitrary configuration entries. This allows tampering with security-related settings and otherwise changing application behavior.
Affected Users: Users running ComfyUI-Manager where ComfyUI is started with the --listen option, which exposes the web interface (and therefore the vulnerable handler) to remote hosts.
CVSS Score: 7.5 (High)
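The following script illustrates the mechanism behind this class of bug. It is an added example, not code from ComfyUI-Manager or from the advisory: the section and key names (default, preview_method, security_level), the allowlist and the shape of the handler are assumptions made for the demo, and the attacker payloads are constructed. It shows why a check that only rejects "\n" is insufficient: ConfigParser.write() escapes a line feed as a tab-indented continuation line, but a bare carriage return is written untouched and Python's text-mode reader treats it as a line terminator, so a new, unindented option appears on the next read.

```python
"""Why a stray '\\r' in a query parameter becomes a new config.ini key.

Added illustration, not ComfyUI-Manager's code.  Section and key names
(default, preview_method, security_level), the allowlist and the handler
shape are assumptions made for the demo.
"""
import configparser
import os
import tempfile

SECTION = "default"  # assumed section name

# Assumed allowlist for the demo: settings with a fixed set of legal values
# should be validated against that set, not just scanned for bad characters.
ALLOWED_VALUES = {
    "preview_method": {"auto", "latent2rgb", "taesd", "none"},
}


def parse_query_value(name, value):
    """Validate one query parameter before it is written to the config file.

    str.isprintable() is False for every control character, including '\\r',
    '\\n' and NUL, so one check covers CRLF injection and its relatives.
    """
    if not isinstance(value, str) or not value.isprintable():
        raise ValueError(f"{name}: control characters are not allowed")
    allowed = ALLOWED_VALUES.get(name)
    if allowed is not None and value not in allowed:
        raise ValueError(f"{name}: {value!r} not in {sorted(allowed)}")
    return value


def is_safe_query_value(name, value):
    """Boolean wrapper around parse_query_value, convenient for checks."""
    try:
        parse_query_value(name, value)
    except ValueError:
        return False
    return True


def round_trip(query_value, validate=False):
    """Write preview_method the way a naive handler would, then re-read the file.

    With validate=False the value goes straight from the request into
    ConfigParser (the flawed pattern).  ConfigParser.write() turns '\\n' into
    a tab-indented continuation line, so a bare LF stays part of the value,
    but it leaves '\\r' untouched, and Python's text-mode reader treats a lone
    CR as a line terminator.  On the next read the smuggled text is an
    unindented line and is parsed as a brand-new option.
    """
    if validate:
        query_value = parse_query_value("preview_method", query_value)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.ini")
        writer = configparser.ConfigParser()
        writer[SECTION] = {"preview_method": query_value}
        with open(path, "w", encoding="utf-8") as fp:
            writer.write(fp)
        reader = configparser.ConfigParser()
        reader.read(path, encoding="utf-8")
        return dict(reader[SECTION])


if __name__ == "__main__":
    # Constructed attacker inputs: a CR-separated and an LF-separated payload.
    cr_payload = "auto\rsecurity_level = weak"
    lf_payload = "auto\nsecurity_level = weak"
    print("CR payload, no validation:", round_trip(cr_payload))
    print("LF payload, no validation:", round_trip(lf_payload))
    print("valid value, validated:   ", round_trip("auto", validate=True))
    print("CR payload accepted?      ", is_safe_query_value("preview_method", cr_payload))
```

Running the script directly prints the parsed section for each case: the CR payload yields a second key (security_level) that the request never legitimately set, the LF payload stays a single multi-line value, and the validated path rejects the CR payload before ConfigParser ever sees it. The design point is to validate at the boundary with an allowlist where the setting is enumerated, and with a control-character check everywhere else, rather than trying to escape the file format after the fact.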
References
- github.com/Comfy-Org/ComfyUI-Manager
- github.com/Comfy-Org/ComfyUI-Manager/commit/ef8703a3d7ab4e6ecda8f96e0c5816c23d1cb262
- github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410
- github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2
- github.com/advisories/GHSA-562r-8445-54r2
- nvd.nist.gov/vuln/detail/CVE-2026-22777